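* @copyright Bernhard Posselt 2014
 */

namespace OC\AppFramework\Middleware\Security;

use OC\AppFramework\Http\Request;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OCP\AppFramework\Http\Response;

/**
 * Tests for CORSMiddleware::afterController().
 *
 * Cases pinned by this class:
 *  - annotated controller method + Origin request header: the Origin value
 *    is returned verbatim in Access-Control-Allow-Origin;
 *  - no annotation, or no Origin header: no Access-Control-Allow-Origin
 *    header is added;
 *  - response already carrying Access-Control-Allow-Credentials: the
 *    middleware raises a SecurityException instead of adding the header.
 *
 * Security relevance: because the allowed origin is whatever the caller sent,
 * the credentials case is the guard that keeps the echoed origin from being
 * combined with credentialed cross-origin requests. Keep that test in place
 * when changing the middleware.
 *
 * The test class passes itself as the "controller", so the annotations in the
 * docblocks of the test methods are what the reflector sees. Those docblocks
 * are therefore test input, not just documentation.
 */
class CORSMiddlewareTest extends \Test\TestCase
{
    /** @var ControllerMethodReflector reflector shared by all tests, re-created in setUp() */
    private $reflector;

    /**
     * Gives every test a fresh reflector so that annotations reflected by one
     * test cannot leak into another.
     */
    protected function setUp()
    {
        parent::setUp();
        $this->reflector = new ControllerMethodReflector();
    }

    /**
     * An annotated method called with an Origin header gets that origin back
     * in Access-Control-Allow-Origin.
     *
     * The annotation below is read at run time through reflect(); do not
     * remove it.
     *
     * @CORS
     */
    public function testSetCORSAPIHeader()
    {
        $request = new Request(
            [
                'server' => [
                    'HTTP_ORIGIN' => 'test',
                ],
            ],
            $this->getMockBuilder('\OCP\Security\ISecureRandom')->getMock()
        );
        $this->reflector->reflect($this, __FUNCTION__);
        $middleware = new CORSMiddleware($request, $this->reflector);

        $response = $middleware->afterController($this, __FUNCTION__, new Response());
        $headers = $response->getHeaders();

        // assertSame: the header must be exactly the string that was sent,
        // not merely something loosely equal to it.
        $this->assertSame('test', $headers['Access-Control-Allow-Origin']);
    }

    /**
     * Without the CORS annotation no Access-Control-Allow-Origin header is
     * added, even though the request carries an Origin header.
     *
     * reflect() is deliberately not called here, so the reflector holds no
     * annotations at all for this request.
     */
    public function testNoAnnotationNoCORSHEADER()
    {
        $request = new Request(
            [
                'server' => [
                    'HTTP_ORIGIN' => 'test',
                ],
            ],
            $this->getMockBuilder('\OCP\Security\ISecureRandom')->getMock()
        );
        $middleware = new CORSMiddleware($request, $this->reflector);

        $response = $middleware->afterController($this, __FUNCTION__, new Response());
        $headers = $response->getHeaders();

        // assertArrayNotHasKey reports the offending key on failure, unlike
        // assertFalse(array_key_exists(...)).
        $this->assertArrayNotHasKey('Access-Control-Allow-Origin', $headers);
    }

    /**
     * An annotated method called without an Origin header gets no
     * Access-Control-Allow-Origin header.
     *
     * @CORS
     */
    public function testNoOriginHeaderNoCORSHEADER()
    {
        $request = new Request(
            [],
            $this->getMockBuilder('\OCP\Security\ISecureRandom')->getMock()
        );
        $this->reflector->reflect($this, __FUNCTION__);
        $middleware = new CORSMiddleware($request, $this->reflector);

        $response = $middleware->afterController($this, __FUNCTION__, new Response());
        $headers = $response->getHeaders();

        $this->assertArrayNotHasKey('Access-Control-Allow-Origin', $headers);
    }

    /**
     * A response that already sets Access-Control-Allow-Credentials must make
     * the middleware throw rather than add the echoed origin.
     *
     * Despite the method name, the expected outcome is a SecurityException,
     * not a silently skipped header.
     *
     * @CORS
     * @expectedException \OC\AppFramework\Middleware\Security\SecurityException
     */
    public function testCorsIgnoredIfWithCredentialsHeaderPresent()
    {
        $request = new Request(
            [
                'server' => [
                    'HTTP_ORIGIN' => 'test',
                ],
            ],
            $this->getMockBuilder('\OCP\Security\ISecureRandom')->getMock()
        );
        $this->reflector->reflect($this, __FUNCTION__);
        $middleware = new CORSMiddleware($request, $this->reflector);

        $response = new Response();
        // Mixed case, a trailing space and an upper-case value are deliberate:
        // the check has to hold for spelling variants of the header, not only
        // for the canonical form. Where the normalisation happens (Response
        // or middleware) is not visible from this test.
        $response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');

        // The call is expected to throw, so its return value is not captured.
        $middleware->afterController($this, __FUNCTION__, $response);
    }
}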